Cybersecurity researchers have found a stealthy backdoor named Effluence that is deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.
“The malware functions as a persistent backdoor and is not remediated by applying patches to Confluence,” Aon’s Stroz Friedberg Incident Response Services said in an analysis published earlier this week.
“The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence.”
The attack chain documented by the cybersecurity firm entailed the exploitation of CVE-2023-22515 (CVSS score: 10.0), a critical bug in Atlassian Confluence that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.
Atlassian has since disclosed a second flaw, tracked as CVE-2023-22518 (CVSS score: 10.0), that an attacker can also take advantage of to set up a rogue administrator account, resulting in a complete loss of confidentiality, integrity, and availability.
What makes the latest attack stand out is that the adversary gained initial access by means of CVE-2023-22515 and embedded a novel web shell that grants persistent remote access to every web page on the server, including the unauthenticated login page, without the need for a valid user account.
The web shell, made up of a loader and a payload, is passive: it lets requests pass through it unnoticed until a request matching a specific parameter is supplied, at which point it triggers its malicious behavior by executing a series of actions.
These include creating a new admin account, purging logs to cover up the forensic trail, running arbitrary commands on the underlying server, enumerating, reading, and deleting files, and compiling extensive information about the Atlassian environment.
The loader component, per Aon, acts as a normal Confluence plugin and is responsible for decrypting and launching the payload.
“Several of the web shell capabilities rely on Confluence-specific APIs,” security researcher Zachary Reichert said.
“However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, Bitbucket, or other Atlassian products where an attacker can install the plugin.”
Some parts of this article are sourced from:
thehackernews.com